has our email account been hacked ?


php-martin

First off, I'm not sure this is the right place to post this message - if so, sorry.

We are receiving hundreds of messages containing viruses that appear to be coming from ourselves.

They have non-existent account names, but with our domain - i.e.

support[at]php-architects

tech[at]php-architects

webmaster[at]php-architects

your.account[at]php-architects

etc.

Typical header is shown below.

Our service provider is sending us warnings for sending out viruses too.

We've checked our server / workstations for viruses, and even disabled our server from sending mails - but are still receiving them.

Has our email server been hacked - or is there anything we can do to block them ?

Many thanks

Martin

Return-Path: <mail[at]php-architects.co.uk>
Delivery-Date: Thu, 14 Jul 2005 01:57:14 +0100
Received: from c2bthimr04.btconnect.com (actually host 204.73.73.194.in-addr.arpa) by dswu231.btconnect.com with SMTP-IBMR (XT-PP) with ESMTP; Thu, 14 Jul 2005 01:57:07 +0100
Received: from php-architects.co.uk (rrcs-65-34-29-246.se.biz.rr.com [65.34.29.246])
	by c2bthimr04.btconnect.com (MOS 3.5.8-GR)
	with ESMTP id BJI13382;
	Thu, 14 Jul 2005 01:57:05 +0100 (BST)
Message-Id: <200507140057.BJI13382[at]c2bthimr04.btconnect.com>
From: mail[at]php-architects.co.uk
To: jimmy[at]php-architects.co.uk
Subject: Members Support
Date: Wed, 13 Jul 2005 20:57:12 -0400
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Content-Type: multipart/mixed; boundary="MIRAPOINT_PART1_42d5b864"
X-Mirapoint-Virus: VIRUSDELETED;
	host=c2bthimr04.btconnect.com;
	attachment=[2.2];
	virus=W32/Mytob-DG

This is a multi-part message in MIME format.

--MIRAPOINT_PART1_42d5b864
Content-Type: text/plain; charset=UTF-8
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Virus warning from BT Business

This message contained a computer virus which has been detected and removed by the BT Business Email Virus Filter to avoid infecting your computer.  

You may wish to contact the sender of this email requesting they remove any virus infection from their PC before re-sending the email and any attachment to you, virus-free.

Attachment: rrv.zip
Problem: virus infected W32/Mytob-DG
Action taken: deleted


Has our email server been hacked - or is there anything we can do to block them ?

Hi Martin!

I doubt your server has been hacked. You say you've checked and can find no indication of the messages having gone out from your system which is a good thing.

Much more likely is that somebody else has found their PC infected and their PC is sending this junk to you.

These viruses/trojans are now harvesting domain names from infected machines and then sending copies of the virus to a range of common usernames such as postmaster, admin, support etc etc etc.

The fact that the destinations you have seen do not exist supports this in your case.

You simply need to remind your users not to open such messages and double check you are properly protected against viruses and have adequate outgoing firewall protection just in case someone does open an Email attachment in error.

As for blocking them... I guess you'd need to set up Email filtering on messages addressed to these non-existent addresses.

Andrew


Many thanks for the quick reply Andrew.

We're up to date with our firewall and virus protection right across our network.

I'll put a filter on our email server to cut these messages out - I was worried that they were coming from within.

Just wondering why we are getting warnings from our ISP for sending viruses though ?

Even though these messages may originate from elsewhere, would they still trigger our ISP to warn us for sending viruses ?

thanks,

Martin


Just wondering why we are getting warnings from our ISP for sending viruses though ?

Even though these messages may originate from elsewhere, would they still trigger our ISP to warn us for sending viruses ?

thanks,

Martin

The Mytob (and others) viruses are made to look like they are coming from your ISP with a warning.

If you can get the headers without opening the email, then you can cut and paste them into the SpamCop web parser and find out the IP address where they are coming from and notify that administrator. (or sign up for a free SpamCop reporting account and report them). Smaller ISPs will stop them immediately. It can take up to a month for larger ISPs.

The only way I know to get headers without opening is in Outlook Express (doesn't work in Outlook). Right click on email->Properties->Details->Message Source. You don't have to copy the attachment. And do not forward a 'live' virus as a report; delete the viral attachment. My anti-virus deletes the attachment and puts the name of the virus in the email, so my subject line is "xxxx virus via xxx.xxx.xx.xx IP address". However, don't send reports to who they suggest.

Miss Betsy


It appears that, in this particular case, the infected computer is rrcs-65-34-29-246.se.biz.rr.com [65.34.29.246], the worm is being allowed to relay through your server c2bthimr04.btconnect.com [194.73.73.204] to your smarthost dswu231.btconnect.com, and BT is taking exception. Please see the details at http://www.spamcop.net/sc?id=z787232248zae...e33080e096d900z, close the relay, and report this particular worm to abuse[at]rr.com.

It could also be that your host c2bthimr04.btconnect.com [194.73.73.204] is actually the one that is infected, as it doesn't seem to be running a mailserver at this time.

Thanks!
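As an added illustration (not code from any of the posters), the following Python walks the Received chain from the header Martin posted, oldest hop first, and reports the originating IP, the HELO name the connecting client claimed, the reverse DNS the relay recorded for it, and the relay path that BT saw. The sample header is reconstructed from the thread with [at] restored to @; the HELO-versus-rDNS comparison is a heuristic, not a rule from the thread.

```python
import re

# Constructed sample: the Received chain quoted in this thread, [at] restored to @.
SAMPLE_HEADERS = """\
Return-Path: <mail@php-architects.co.uk>
Received: from c2bthimr04.btconnect.com (actually host 204.73.73.194.in-addr.arpa) by dswu231.btconnect.com with SMTP-IBMR (XT-PP) with ESMTP; Thu, 14 Jul 2005 01:57:07 +0100
Received: from php-architects.co.uk (rrcs-65-34-29-246.se.biz.rr.com [65.34.29.246])
\tby c2bthimr04.btconnect.com (MOS 3.5.8-GR)
\twith ESMTP id BJI13382;
\tThu, 14 Jul 2005 01:57:05 +0100 (BST)
From: mail@php-architects.co.uk
To: jimmy@php-architects.co.uk
"""

# "from <HELO name> (<rDNS> [<ip>]) ... by <receiving host>"; the parenthesised part is optional
# because some relays (the first line above) write free text there instead.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[\d.]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL)

def unfold_headers(raw):
    """Join RFC 2822 continuation lines (leading whitespace) onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """Return hops oldest-first: each relay prepends its Received line, so reverse the order."""
    hops = []
    for line in unfold_headers(raw):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.match(line.split(":", 1)[1].strip())
            if m:
                hops.append(m.groupdict())
    return hops[::-1]

def analyse(raw):
    """Origin IP, the HELO it claimed, its rDNS, whether they agree, and the relay path."""
    hops = parse_received(raw)
    origin = next((h for h in hops if h["ip"]), None)
    if origin is None:
        return None
    helo, rdns = origin["helo"].lower(), (origin["rdns"] or "").lower()
    # A forged sender HELOs with the spoofed domain; the relay's rDNS names the real client.
    consistent = bool(rdns) and (rdns.endswith(helo) or helo.endswith(rdns))
    return {"origin_ip": origin["ip"], "helo": helo, "rdns": rdns,
            "helo_consistent": consistent, "relay_path": [h["by"] for h in hops]}
```

Fed the thread's header, it returns 65.34.29.246 (rDNS in rr.com) as the origin claiming to be php-architects.co.uk, then the two btconnect.com hops, which is the same reading the last reply gives.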
